Apache Struts Vuln Threatens Fortune 500 Data

Security researchers at lgtm.com have discovered a critical remote code execution vulnerability in Apache Struts—a situation that could affect at least 65% of the Fortune 100.

Struts is a popular open-source framework for developing web applications in the Java programming language. Citing RedMonk analyst Fintan Ryan, lgtm noted that an estimated 65% of Fortune 100 organizations have developed applications using the framework.

“The Struts framework is used by an incredibly large number and variety of organizations,” said Man Yue Mo, one of the lgtm security researchers who discovered the flaw. “This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications. Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser. Organizations who use Struts should upgrade their components immediately.”

A working exploit—and lgtm said that “multiple working exploits were observed on various internet sites”—gives attackers access to the web servers and, from there, corporate data.

“Web-based remote code execution techniques are some of the most dangerous types of exploits because of their low barrier of entry. In a lot of cases, they don’t require credentials – data can simply be sent to the site in a form, calling an API or even in the requesting of a URL,” said Brian Robinson, senior director of security technology at Cylance, via email. “They can also easily bypass firewall and intrusion detection systems – because entering data in a web form is ‘normal’ behavior—which can result in the attacker being able to deliver malicious payloads such as malware to the target server.”

All versions of Struts since 2008 are affected, and every web application that uses the framework’s widely deployed REST plugin is vulnerable. That means that while a patch is available, it won’t solve all of the issues immediately, since Struts is also a component embedded in many other pieces of software.

“This vulnerability is potentially very damaging due to the large number of sites that rely upon this framework,” a CISO of a Tier 1 bank told lgtm. “Coupled with the complexities to remediate, as code will have to be changed as opposed to just applying a vendor patch, this has the potential to be worse than the POODLE attack was.”

Mike Pittenger, VP of security strategy at Black Duck Software, elaborated on the point: “Once again, we see the importance of having full visibility to all of the components used in your software. While neither Tenable nor Rapid7 appear to have plug-ins for detecting this yet, they undoubtedly will. But then organizations are forced to scan their entire environment, using the plug-in to identify vulnerable versions of Struts. This can take days, as it did for many organizations when Heartbleed was disclosed. Worse yet, this fire drill happens with every new critical vulnerability, because the vulnerability assessment tools have no persistent knowledge of the applications we build and the components used.
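The inventory step Pittenger describes, as an added example that is not lgtm’s, Apache’s or any vendor’s code: it walks a directory tree for Maven-built JARs of the Struts REST plugin, reads the version each records, and flags any below a fixed version you supply (the threshold is a placeholder here; take the real one from the vendor advisory).

```python
"""Inventory struts2-rest-plugin JARs under a directory and flag old versions.
Added example; not code from lgtm, Apache Struts or any scanner vendor."""
import io
import os
import zipfile
from typing import Iterator, Optional, Tuple

# Maven-built JARs record the artifact version in this properties file.
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-rest-plugin/pom.properties"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.12' into (2, 5, 12) so versions compare numerically."""
    return tuple(int(p) for p in text.strip().split(".") if p.isdigit())


def rest_plugin_version(jar_bytes: bytes) -> Optional[str]:
    """Return the struts2-rest-plugin version recorded in a JAR, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            if POM_PROPS not in zf.namelist():
                return None  # not a REST plugin JAR (or not Maven-built)
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None  # not a JAR at all
    return None


def scan_tree(root: str, fixed: str) -> Iterator[Tuple[str, str, bool]]:
    """Yield (path, version, below_fixed) for every REST plugin JAR under root.
    `fixed` is the first patched version; supply it from the vendor advisory."""
    threshold = parse_version(fixed)
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                ver = rest_plugin_version(fh.read())
            if ver is not None:
                yield path, ver, parse_version(ver) < threshold


def make_jar(version: str) -> bytes:
    """Constructed in-memory JAR carrying only pom.properties (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"#Generated by Maven\nversion={version}\n")
    return buf.getvalue()
```

Run `for path, ver, old in scan_tree("/opt/apps", "X.Y.Z")` with the advisory's fixed version in place of the placeholder; the `old` flag is what the fire drill is trying to find.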